I have two separate Splunk queries:
1st query: outputs the unique user count in the last 24 hours.
2nd query: outputs the unique user count in the last 24 hours in geo = US.
I want to create a timechart that will show a line chart with the % of users every day from the US.
How can this be achieved?
A Splunk query is used to run a specific operation within the Splunk software. A Splunk query uses the software's Search Processing Language to communicate with a database or source of data. This allows data users to perform analysis of their data by querying it.
You can join the two queries by using:
|
So your query can look like this (appendcols puts the two single-row results side by side, since two searches cannot be joined with a bare pipe):
{firstQuery} as countUS | appendcols [ {secondQuery} as countTotal ] | eval perc=countUS/countTotal
You can use a conditional inside dc() to count only the users from the US.
Example query (the string literal must be quoted in eval, and null() is the function that drops non-US rows from the distinct count):
index=data | timechart dc(user) as dc_user, dc(eval(if(geo="US",user,null()))) as us_user | eval perc_us=round(us_user/dc_user*100,2) | table _time, perc_us
Alternatively you can use the SPL join command but that would be less efficient as it would have to read the data twice and join the results.
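As an added example (not from either answer above), this Python snippet reproduces what the timechart with the conditional dc() computes, run over constructed sample events, so the expected percentages can be checked before trusting the dashboard. The field names user and geo follow the question; the line format of the events is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page): day, user and geo per line.
# alice appears twice on 05-01 to show that dc() counts distinct users, not events.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00 user=alice geo=US
2024-05-01T09:30:00 user=bob geo=DE
2024-05-01T10:15:00 user=alice geo=US
2024-05-01T11:45:00 user=carol geo=US
2024-05-02T07:10:00 user=dave geo=FR
2024-05-02T12:00:00 user=erin geo=GB
2024-05-03T09:00:00 user=alice geo=US
2024-05-03T09:05:00 user=frank geo=US
"""

# Assumed event layout: ISO timestamp, then key=value pairs for user and geo.
EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) geo=(\S+)$")


def percent_us_per_day(raw: str) -> dict:
    """Mirror of: timechart span=1d dc(user) as dc_user,
                  dc(eval(if(geo="US",user,null()))) as us_user
                  | eval perc_us=round(us_user/dc_user*100,2)
    Returns {day: percentage of that day's distinct users whose geo is US}."""
    all_users = defaultdict(set)   # dc(user) per day
    us_users = defaultdict(set)    # dc() of the conditional per day
    for line in raw.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unparsable line: skipped, as a failed field extraction would be
        day, user, geo = m.groups()
        all_users[day].add(user)
        if geo == "US":            # if(geo="US", user, null()): null() rows are ignored by dc()
            us_users[day].add(user)
    result = {}
    for day in sorted(all_users):
        total = len(all_users[day])          # never 0 for a day that has events
        result[day] = round(len(us_users[day]) / total * 100, 2)
    return result


if __name__ == "__main__":
    for day, pct in percent_us_per_day(SAMPLE_EVENTS).items():
        print(day, pct)
```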